Monthly Archives: September 2013

This month the ICO has published new guidelines for direct marketers, with a particular emphasis on consent. Those companies who make it difficult for their customers to find the “small print” run the risk of finding their so-called consent is invalid. Essentially the ICO is looking to tighten up current consent policies, by, for example, putting tighter time limits on the period covered by consent, ensuring that the customer is not forced into consenting as part of any service policy. Users of personal data are going to need to get used to a greater transparency and trust between themselves and their customers. It is likely that a more creative approach to obtaining consent will be required – such as an explanation of the benefits designed to appeal to the consumer.

Third party use of data is going to become increasingly difficult too, with the onus put on the user for evidence that consent really has been given to the list provider (see Steve’s article on email marketing success).

If you are concerned that you are not entirely certain what is needed to keep your future campaigns compliant, then contact Victoria – victoria@tuffillverner.co.uk

Unsolicited direct marketing calls – the penalties

The Information Commissioner’s Office (ICO) is clamping down on businesses who make unsolicited direct marketing calls. The law currently requires the ICO to prove that calls or texts are causing substantial damage or substantial distress before issuing a penalty to the perpetrator. The ICO is now asking the government to reduce the degree of harm that needs to be proven – the aim is that an investigation would have to simply prove annoyance or nuisance before acting.

The ICO routinely collects data from complaints both to their own office and to TPS, which helps identify organisations who may cause concern.

As a result of that activity, in the first quarter of 2013, the ICO issued their first fine for making unsolicited live marketing calls. DM Design, was fined £90,000. In the last quarter the ICO has issued two further monetary penalty notices for making unsolicited calls – against Nationwide Energy Services (£125,000 penalty) and We Claim you Gain (£100,000 penalty) – not insubstantial amounts.

The main topics of cold marketing calls are still PPI, then Energy / Green energy and Accident claims. These are closely followed by debt management.

Automated calls can be made from outside the UK, in which case the steps to be taken against those companies making the calls are obviously limited.

It is clear that the ICO is determined to make it very plain to all companies and organisations using (or selling) data for marketing purposes, that they must follow the law.

They select a number of companies for monitoring based on the complaints they – and TPS receive. They then review the complaints levels – and it’s amazing what a little fear can do to make even quite large companies adjust their thinking in this area. For example, Talk Talk saw a massive 75% reduction in complaints in the nine months of monitoring; British Gas a 59% reduction in complaints over the same period; while Scottish Power complaints were reduced by 30%.

Encryption: do you understand the options available and how you can use them?

The Data Protection Act requires organisations that are storing personal information electronically to have appropriate measures in place to keep the information secure. If the loss of this information would cause damage and distress to those affected then the Information Commissioner’s Office (ICO) expect the information to be encrypted.

If it isn’t, then an organisation is not keeping the information secure and leaving themselves open to possible enforcement action. Penalties totalling £700,000 have so far been issued to organisations who have failed to properly encrypt their data.

So it’s definitely worth looking at the different types of encryption available and making them work for your organisation. If you are thinking about the need for encryption but don’t fully understand the different options available to you, then do contact Tony at tony@tuffillverner.co.uk

Subject access requests – failure to comply can be costly

Following the publication last month of the Subject Access Code of Practice, the handling of subject access requests is becoming increasingly important. After a complaint from a member of the public, action has been taken against Cardiff City Council systemic failures leading to the inability for the council to respond to individuals’ subject access requests within the 40 day time limit.

So it’s worth noting the importance of tightening up procedures and making sure staff are properly trained to handle such requests in compliance with the DPA.

It is well worth reviewing the measures you have in place to make sure personal information being accessed and used by home workers is being kept secure. It is now becoming increasingly popular for individuals to work from home, and to access data via tablets and smartphones.

Aberdeen City Council has just been served with a penalty of £100,000 after sensitive personal information relating to the care of vulnerable children was inadvertently posted online by one of their home workers. The information was freely available for a three-month period before a council employee spotted it and the information was taken down.

An investigation found that the council had no means of monitoring how personal information was being accessed and used by their home workers and, worse yet, provided no guidance to help people working from home keep personal information secure.

So do make sure you follow the guidelines, especially if your employees are using smartphones and other personal devices to access personal data outside the office. If you’d like some information on the sorts of measures you should be taking, please contact Michelle – michelle@tuffillverner.co.uk

New teaching materials will help young people to take control of their information

Great news that the ICO has published new teaching materials for schools to help teachers explain to young people the importance of looking after their personal information. Especially since a 2011 survey showed that, although 9 out of 10 secondary school pupils were using a social networking website, 60% paid no attention to that website’s privacy policy.

The educational material has been developed by teachers and tailored to specific areas of the curriculum with a focus on helping youngsters understand the value and importance of their personal information and teaching them how they can look after it.

No surprise after Leveson consultation that the Press is deemed to need further guidance on conduct and ethics

Last year’s Leveson Inquiry provided a number of recommendations relating to the conduct and ethics of the press. The most high-profile recommendation for the ICO office was that it should better educate the press about their legal obligations under the DPA.

A consultation was launched in March to find out stakeholder’s views on a potential code of practice to explain the law as it stands. Responses were received from several media companies, individuals, regulators and representative bodies. The responses have raised concerns that any new code of practice would cause confusion with the existing editor’s code!

Tuffill Verner Associates provides data compliance advice – if you have any concerns or are unclear on a particular issue, just drop us an email or give us a call.

This article has been written to help companies, particularly SMEs, understand the significance and importance of strong data security and excellent staff training, specifically in relation to data protection compliance within their own businesses when dealing with personal and sensitive data.

Apart from the obvious necessity to keep your premises physically secure, and shred any confidential paperwork, there are four main areas covered by this article:

Computer Security

Encryption

Emails

Staff Training

Computer security

Protecting your computers and computer networks includes a number of steps, which can be relatively simple and straightforward to implement. As is often the way, anything is simple if you know what to do and how to do it. For example, simple security steps include:

Protection Installing firewalls and virus-checking tools

Updates Keeping the operating system updated automatically ongoing

Security updates Staying aware of the latest security patches and updates, and downloading when available

Back-ups are an essential part of computer hygiene – regular backups should be taken and kept separately so that if your computers are lost, you still have the information available.

Disposal When you get rid of a computer, it is vital to ensure that all personal information before you move it on. I always remove the hard drive, and smash it into small pieces – which is probably overkill, but it works for me! There are other “technical” solutions, but I prefer to destroy the hard drive and know that it’s gone for ever.

Spam filters Ensure that you either have spam filters on your computers or that you use an email provider that offers this service.

Encryption

If sensitive personal information is stolen or lost, it is highly likely to cause damage or distress. To minimise the risk of disclosure, any such personal information really should be encrypted. The truth is that login usernames and passwords offer only minimal protection – absolutely not enough to protect against illegal – or simply unauthorised – access. It is also worth remembering that enormous volumes of data can now be stored on tiny devices from memory sticks to smartphones.

Encryption can be a tricky area, so if you are uncertain of how encryption works, or the strengths and weaknesses of various types of encryption, Tony Schiffman can provide useful advice on how to keep your information secure. Just drop him a line at tony@datacompliant.co.uk

email security

Writing, sending and receiving emails is now taken for granted as just a part of everyday life. This may be why there are so many varied opportunities for error and carelessness. Some of the most common issues are summarised below:

if the contents of an email are sensitive, the email should be encrypted or password protected.

when you start to type in the name of the recipient, your software may automatically suggest similar addresses which you have used before. For example, I have a few Johns in my address book whom I email regularly. Each time, the auto-complete function offers me several Johns and I have to force myself to remember to check that I have picked up the right address before clicking “send”.

Group email addresses are a useful tool, but it is always worth double-checking who is included within the group and be certain that you eliminate anybody who should not receive your message.

If you want to copy someone on an email, but don’t want to share their email address, use the bcc function rather than the cc. When you use cc, all recipients will be able to see he email addresses of all other recipients to whom the email was sent.

Interesting (if irrelevant) note –we still use the term cc, which stands for carbon copy – going back to the days of typewriters when a sheet of coated carbon paper was placed between two or more sheets of paper. The pressure of the typewriter keys on the carbon papers would cause the ink to be transferred to the additional sheet(s) of paper, thus providing carbon copies. Bcc, of course, stands for blind carbon copy.

When sending a sensitive email from a secure server to a recipient whose server is insecure, the security of that email will be jeopardised. Always check the security of your recipient’s server / provider before sending your message.

Use spam filters on your computers, or use an email provider that offers spam filtering services.

Staff Training

Training your staff to keep data secure is also vital. Staff can be held responsible for data compliance breaches and may sue their company if they have not been given essential training.

Did you know that your staff can be prosecuted if they deliberately give out personal details without permission? So it’s essential that their access to personal or sensitive data is limited purely to what they need to do their job, and they are trained to understand what they can and cannot do. For example:

Discretion Your staff may receive enquiries from people who are trying to obtain personal details dishonestly – teach them how to handle such enquiries so that they cannot be tricked into providing inappropriate information.

Passwords Ensure your staff use strong passwords. The longer the better, and greater strength can be gained by combining letters, numbers, punctuation and other special characters, while using both upper and lower case letters.

Confidentiality It is, of course, essential that members of staff do not share their passwords or knowledge of sensitive or personal data with colleagues or friends.

Professionalism Staff members should be trained to be professional in their communications, and avoid any offensive communications, emails, or inappropriate dissemination of the details of other people or their private lives. They must be trained to understand that their inappropriate behaviour can bring your business into disrepute.

Spam They should not open spam – not even to unsubscribe or ‘request no further mailings’. If you do not have spam filters on your computers, when they receive spam, your staff members should be instructed that, when they receive spam, the email should be deleted.

Financial information They should be taught not to believe emails that appear to come from a bank or building society that asks for account or credit card details or password information

If you would like to discuss staff training with Data Compliant, please contact victoria@datacompliant.co.uk

Data Breaches

Data security falls into a number of areas. Based on the ICO’s stated data breaches from April to July 2013, it is clear that security and staff training are critical elements in protecting the personal data you hold. The types of breach noted during that period are illustrated in the diagram below. It is notable just how significant security and staff training are in the prevention of protecting personal and sensitive data.

In our marketing and data consultancy, Tuffill Verner Associates, we have helped businesses navigate data permissions and compliance across B2C and B2B. With over 30 years experience each, Victoria Tuffill and Michelle Evans are well placed to help marketers stay compliant while still achieving their marketing goals. We provide clear, tailored practical and creative advice to marketers to solve the difficulties of achieving results while staying within the confines of legal compliance.

If you’d like to chat about your data compliance, security or governance needs, please contact Victoria or Michelle on 01787 277742 or by email – victoria@datacompliant.co.uk or michelle@datacompliant.co.uk